Notepad-- instead of Notepad++: Cybercriminals attack users in China

Teacher

How search engine advertising has become a powerful tool for hackers.

Recent research has revealed that Chinese users who search for official versions of programs such as Notepad++ and VNote through search engines like Baidu are increasingly becoming victims of sophisticated attackers.

Attacks are carried out using fraudulent advertisements in search engines, as well as fake links that distribute Trojan versions of these programs. The ultimate goal is to install Geacon, a Golang implementation of Cobalt Strike.

Advertisements leading to fake websites

Kaspersky Lab specialists have discovered a fraudulent website that appears in the Notepad++ search results. The site is notable in that its address mentions VNote, while the program offered for download on it uses the Notepad++ logo.

The further you go, the more interesting it becomes: the downloaded packages actually contain "Notepad--". This is not an invention of the cybercriminals: Notepad-- is a real, legitimate text editor, an almost complete copy of Notepad++ developed by local specialists for the Chinese market.

Funny inconsistencies on a fraudulent site

Although the malicious site offers three versions of the program for download (for Windows, Linux, and macOS), the Windows link for some reason leads to the official Gitee repository with the legitimate Notepad-- installer. The Linux and macOS links, on the other hand, lead to malicious installation packages on a third-party resource.

The second fake page, which appears for the query "vnote" in the Baidu search engine, instead imitates the official VNote website, copying its style completely. Naturally, this page serves malware as well.

Comparison of fake and real VNote sites

A study of the Trojan installers showed that they are designed to download additional malicious code from a remote server. This code can create SSH connections, perform file operations, list processes, read clipboard contents, run programs, upload and download files, take screenshots, and even enter a sleep mode. It is controlled over the HTTPS protocol.

These examples are only part of a broader operation to spread malware through advertising campaigns. The same campaigns were previously used to distribute malware such as FakeBat (also known as EugenLoader), using MSIX installation files disguised as the Microsoft OneNote, Notion, and Trello applications.

Kaspersky Lab specialists intend to continue their research on this malicious campaign in order to identify additional stages of the attack and prevent the spread of malware among users.

Users are advised to take extra care when downloading programs from the Internet and to pay attention to any questionable details (from address mismatches to suspicious design or obvious errors) on websites that offer popular software.
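The "address mismatch" check above can be automated. The script below is an added example for this post, not code from Kaspersky Lab or from any of the projects mentioned: it classifies a download URL against an allowlist of official hosts per product (the hosts listed are an assumption for the example, with a placeholder for VNote), flags hosts that name a different product than the one being downloaded (the VNote address handing out a Notepad++ installer described above), flags lookalike hosts that name the product but are not official, and verifies a downloaded file against a published SHA-256 hash.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Illustrative allowlist of official download hosts per product. The hosts
# below are an assumption for this example (notepad-plus-plus.org for
# Notepad++, gitee.com for Notepad--, a placeholder for VNote); confirm the
# real official hosts before relying on such a list.
OFFICIAL_HOSTS = {
    "notepad++": {"notepad-plus-plus.org"},
    "notepad--": {"gitee.com"},
    "vnote": {"vnote.example"},  # placeholder, not VNote's real domain
}

# Substrings in a hostname that suggest which product the site is posing as.
PRODUCT_KEYWORDS = {
    "notepad": {"notepad++", "notepad--"},
    "vnote": {"vnote"},
}


def normalized_host(url: str) -> str:
    """Lower-case hostname of a URL with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_official(product: str, host: str) -> bool:
    """True if host is an allowlisted official host (or a subdomain of one)."""
    return any(host == h or host.endswith("." + h)
               for h in OFFICIAL_HOSTS.get(product, ()))


def check_download(product: str, url: str) -> str:
    """Classify a download URL for the product the user actually wants.

    Returns one of:
      "official"  - host is on the product's allowlist
      "mismatch"  - host names a different product (e.g. a 'vnote' address
                    handing out a Notepad++ installer)
      "lookalike" - host names this product but is not an official host
      "unknown"   - host names no known product (e.g. a generic CDN)
    """
    host = normalized_host(url)
    if is_official(product, host):
        return "official"
    mentioned = set()
    for keyword, products in PRODUCT_KEYWORDS.items():
        if keyword in host:
            mentioned |= products
    if mentioned and product not in mentioned:
        return "mismatch"
    if product in mentioned:
        return "lookalike"
    return "unknown"


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of a downloaded file against a published hash."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


if __name__ == "__main__":
    # Constructed URLs modelled on the cases described in the post.
    for product, url in [
        ("notepad++", "https://notepad-plus-plus.org/downloads/"),
        ("notepad--", "https://gitee.com/example/notepad--/releases"),
        ("notepad++", "https://vnote-editor.example/notepad.exe"),
        ("notepad++", "https://notepad-free.example/npp.exe"),
    ]:
        print(f"{product:10} {url:50} -> {check_download(product, url)}")
```

A "mismatch" or "lookalike" verdict is exactly the kind of questionable detail the advice above refers to; "unknown" (a generic CDN or mirror) is not proof of foul play, but it means the hash check against the vendor's published value is the only evidence left that the file is the one the vendor ships.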